Tech Support Guy banner
Cancel

Darn secure32.html got me!

Jump to Latest Follow
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 20 of 151 Posts
G

· Registered
Joined
·
84 Posts
Discussion Starter · #1 ·
Before I even start I want to thank the people in this forum for any help they might be able to give.

I've had this computer a couple years now and managed to stay clean but now my grandson somehow got it infected. I've read through several fixes on various forums and made several attempts to repair it,, but without success. It appears that every solution is oriented to specific HijackThis logs. I've already downloaded HijackThis, Killbox, Cleanup and AVG Free. Following is the HijackThis log I ran a few minutes ago. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 1:04:36 PM, on 1/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\{98E75D56-0833-1033-0204-050804030001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{98E75D56-0833-1033-0204-050804030001}] "C:\Program Files\Common Files\{98E75D56-0833-1033-0204-050804030001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvhah.dll,startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskManager] C:\WINDOWS\TaskMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks again,
Mike
 
Cheeseball81

· Retired Moderator
Joined
·
84,466 Posts
#2 ·
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 
G

· Registered
Joined
·
84 Posts
Discussion Starter · #3 ·
Thanks for your response Cheeseball. Here's the report from SmitfraudFix.

SmitFraudFix v2.132

Scan done at 20:10:23.67, Sun 01/07/2007
Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\autosys.exe FOUND !
C:\WINDOWS\system32\svchosts.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Owner\Application Data

C:\Documents and Settings\HP_Owner\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HP_Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks,
Mike
 
Cheeseball81

· Retired Moderator
Joined
·
84,466 Posts
#4 ·
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
 
G

· Registered
Joined
·
84 Posts
Discussion Starter · #5 ·
Note: After rebooting my Zone Alarm caught csrss.exe and update.exe trying to access the iternet. I also noticed a bunch of files in my root directory that don't appear to belong there. They are:
-1729667754
bghtcbd.exe
bhbn.exe
eitpgmoi.exe
ihnf.exe
klnl.exe
nhaqlflb.exe
omepavy.exe
tdd.exe
ydkdohw.exe

Following is the rapport.txt file:

SmitFraudFix v2.132

Scan done at 12:55:05.40, Mon 01/08/2007
Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\autosys.exe Deleted
C:\WINDOWS\system32\svchosts.exe Deleted
C:\Documents and Settings\HP_Owner\Application Data\Install.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks,
Mike
 
Cheeseball81

· Retired Moderator
Joined
·
84,466 Posts
#6 ·
Download AVG Anti-Spyware from HERE and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.

  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
  2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
  4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
  1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
  2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  4. AVG will now begin the scanning process. Please be patient as this may take a little time.
    Once the scan is complete, do the following:
  5. If you have any infections you will be prompted. Then select "Apply all actions."
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower lef- hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
  8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.
 
G

· Registered
Joined
·
84 Posts
Discussion Starter · #7 ·
I ran AVG in safe mode and rebooted in normal mode. As it was rebooting I got an error message saying winlogon.exe failed because sfg_os.dll was not found. It started anyway and I was able to logon. Then when starting ieexplore another error message popped up saying ieexplore failed because msvcrl.dll was not found and ieexplore wouldn't run. So, I'm unable to run a scan at pandasoftware or post the AVG log. In both instances the error message stated I may be able to reinstall to correct the problem. I don't know if it means reinstall the whole program or just the named files or, for that matter, how to do either. Neither of those filenames appear in the AVG log.

Mike
 
G

· Registered
Joined
·
84 Posts
Discussion Starter · #10 ·
I ran a new HijackThis then took a chance and copied the AVG and HJT logs to a floppy and transferred them to my other computer. So here they are.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:47:47 PM 1/9/2007

+ Scan result:

C:\Documents and Settings\HP_Owner\My Documents\DELETED FILES\IA\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\My Documents\DELETED FILES\IA\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winuqw32 -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\My Documents\DELETED FILES\Bar888.dll -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\install.exe -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win60.tmp.exe -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\tdd.exe -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\Program Files\Media Access -> Adware.MediaAccess : Cleaned with backup (quarantined).
C:\Program Files\Media Access\Info.txt -> Adware.MediaAccess : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\My Documents\DELETED FILES\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\My Documents\DELETED FILES\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{98E75D56-0832-1033-0204-050804030001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{98E75D56-0832-1033-0204-050804030001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{98E75D56-0833-1033-0204-050804030001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{98E75D56-0833-1033-0204-050804030001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{98E75D56-0834-1033-0204-050804030001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{98E75D56-0834-1033-0204-050804030001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc2\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc2\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc3\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc3\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-2100259221-3131916128-32591523-1009\Dc1\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-2100259221-3131916128-32591523-1009\Dc1\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win65.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sfc_os.dll -> Downloader.SFC.os : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\4BBSO3Y5\L2[1].exe -> Downloader.Small.dod : Cleaned with backup (quarantined).
C:\Program Files\Common Files\ikqr\ikqrd\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msvcrl.dll -> Logger.Goldun.on : Cleaned with backup (quarantined).
C:\!KillBox\drvsod.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\mst64.tmp -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvhah.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvzab.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected]lemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\HP_Owner\My Documents\DELETED FILES\VSAdd-in\VSAdd-in.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\My Documents\DELETED FILES\msasvc.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\My Documents\DELETED FILES\IA\KE.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\9793 -> Worm.Banwarum.f : Cleaned with backup (quarantined).

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 1:43:52 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\csrss.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskManager] C:\WINDOWS\TaskMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks,
Mike
 
Cheeseball81

· Retired Moderator
Joined
·
84,466 Posts
#11 ·
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\p2pnetworking.exe
C:\WINDOWS\TaskMgr.exe
Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe

O4 - HKCU\..\Run: [TaskManager] C:\WINDOWS\TaskMgr.exe



Reboot and post another Hijack This log please.
 
G

· Registered
Joined
·
84 Posts
Discussion Starter · #12 ·
Note: Still getting "sfg_os.dll was not found" at boot-up. Also still getting csrss.exe trying to access the internet.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\obytyxnu

*******************

Script file located at: \??\C:\Program Files\vbjyuenp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\p2pnetworking.exe not found!
Deletion of file C:\WINDOWS\system32\p2pnetworking.exe failed!

Could not process line:
C:\WINDOWS\system32\p2pnetworking.exe
Status: 0xc0000034

File C:\WINDOWS\TaskMgr.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 4:13:13 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\csrss.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks,
Mike
 
Cheeseball81

· Retired Moderator
Joined
·
84,466 Posts
#13 ·
Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don’t do anything with it yet!

Click here for info on how to boot to safe mode if you don't already know how.

Reboot into Safe Mode.

Double click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient and let it complete.

Reboot back to Normal Mode!

  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Copy and paste WinPFind.txt in your next post here please.
 
G

· Registered
Joined
·
84 Posts
Discussion Starter · #14 ·
The entire winpfind.txt would not fit into 1 post so I've divided it in about half. Here is the first half and the second half will be in the next post.

winpfind.txt:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 1/11/2007 12:06:36 PM
WinPFind v1.5.0 Folder = C:\Documents and Settings\HP_Owner\Desktop\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 1/7/2007 1:05:42 PM 35328 C:\WINDOWS\csrss.exe ()
UPX! 1/1/2007 1:12:18 AM 4608 C:\WINDOWS\temp.exe ()

Checking %System% folder...
UPX! 1/1/2007 5:31:22 PM 4608 C:\WINDOWS\SYSTEM32\15008 ()
UPX! 1/3/2007 10:32:30 AM 4608 C:\WINDOWS\SYSTEM32\23866 ()
UPX! 1/7/2007 1:05:42 PM 35328 C:\WINDOWS\SYSTEM32\4844 ()
WSUD 9/20/2004 2:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
UPX! 1/3/2007 12:12:02 AM 81684 C:\WINDOWS\SYSTEM32\amehjjpg.dll ()
PEC2 8/4/2004 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
UPX! 1/7/2007 1:04:48 PM 81684 C:\WINDOWS\SYSTEM32\iddopxfy.dll ()
PTech 6/19/2006 3:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
UPX! 1/3/2007 12:11:56 AM 88340 C:\WINDOWS\SYSTEM32\mexxafxy.exe ()
PECompact2 8/9/2006 11:03:06 AM 8325544 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 8/9/2006 11:03:06 AM 8325544 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
UPX! 1/3/2007 6:02:46 PM 118804 C:\WINDOWS\SYSTEM32\naxjtxth.dll ()
aspack 8/4/2004 11:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 8/4/2004 11:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
UPX! 1/3/2007 12:11:46 AM 44060 C:\WINDOWS\SYSTEM32\qkgvjwuc.dll ()
Umonitor 8/4/2004 11:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
UPX! 1/7/2007 8:09:04 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe (S!Ri)
UPX! 1/7/2007 8:09:06 PM 135168 C:\WINDOWS\SYSTEM32\swreg.exe (SteelWerX)
UPX! 1/7/2007 8:09:06 PM 40960 C:\WINDOWS\SYSTEM32\swsc.exe ()
UPX! 1/7/2007 8:09:06 PM 79360 C:\WINDOWS\SYSTEM32\swxcacls.exe (SteelWerX)
winsync 8/4/2004 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PTech 6/19/2006 3:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)
UPX! 1/11/2007 11:58:36 AM 118804 C:\WINDOWS\SYSTEM32\wgwhfiul.dll ()
PEC2 1/1/2007 12:49:16 AM 16896 C:\WINDOWS\SYSTEM32\winuqw32.dll ()
PECompact2 1/1/2007 12:49:16 AM 16896 C:\WINDOWS\SYSTEM32\winuqw32.dll ()
UPX! 1/3/2007 12:05:28 AM HS 22541 C:\WINDOWS\SYSTEM32\wvuvuuu.dll ()

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/11/2007 12:04:04 PM S 2048 C:\WINDOWS\bootstat.dat ()
1/2/2007 3:35:18 PM HS 2 C:\WINDOWS\system32\cmd.com ()
1/3/2007 6:03:06 PM HS 37559 C:\WINDOWS\system32\htxtjxan.ini ()
1/11/2007 11:58:42 AM HS 295 C:\WINDOWS\system32\luifhwgw.ini ()
1/2/2007 3:35:18 PM HS 2 C:\WINDOWS\system32\ping.com ()
1/4/2007 4:50:28 PM HS 22541 C:\WINDOWS\system32\pmnonmj.dll ()
1/2/2007 3:35:18 PM HS 2 C:\WINDOWS\system32\regedit.com ()
1/2/2007 3:35:18 PM HS 2 C:\WINDOWS\system32\tasklist.com ()
1/2/2007 3:35:18 PM HS 2 C:\WINDOWS\system32\tracert.com ()
1/11/2007 11:58:26 AM HS 813827 C:\WINDOWS\system32\utvwa.bak1 ()
1/11/2007 12:11:18 PM HS 814502 C:\WINDOWS\system32\utvwa.ini ()
1/10/2007 4:15:28 PM H 526 C:\WINDOWS\system32\vsconfig.xml ()
1/3/2007 12:05:28 AM HS 22541 C:\WINDOWS\system32\wvuvuuu.dll ()
1/11/2007 12:03:44 PM H 8192 C:\WINDOWS\system32\config\default.LOG ()
1/11/2007 12:04:30 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
1/11/2007 12:04:04 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG ()
1/11/2007 12:06:32 PM H 1024 C:\WINDOWS\system32\config\software.LOG ()
1/11/2007 12:04:32 PM H 1024 C:\WINDOWS\system32\config\system.LOG ()
1/7/2007 2:26:32 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\13b4b0eb-2f3f-4137-bfed-ee80c6b685e7 ()
1/7/2007 2:26:32 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred ()
1/4/2007 6:42:48 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\db446101-3450-4e03-a1ab-df6fe4335ffe ()
1/4/2007 6:42:48 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
1/11/2007 12:03:00 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()
1/4/2007 4:50:30 PM HS 43 C:\WINDOWS\Temp\removalfile.bat ()

Checking for CPL files...
8/4/2004 11:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
9/20/2004 2:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
8/4/2004 11:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
7/26/2006 3:03:14 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
8/4/2004 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)
8/4/2004 11:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl (Microsoft Corporation)
5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
8/3/2004 5:45:16 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxcpl.cpl (Intel Corporation)
2/9/2004 11:19:32 PM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\ALSNDMGR.CPL (Realtek Semiconductor Corp.)

Checking for Downloaded Program Files...
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/7/2004 11:03:42 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
8/7/2004 12:38:10 PM 1808 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk ()
8/27/2005 6:22:14 PM 1870 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/7/2004 3:55:30 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
8/7/2004 12:52:32 PM 1410 C:\Documents and Settings\All Users\Application Data\hpzinstall.log ()
12/3/2006 1:44:28 AM 1755 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache ()

Checking files in %USERPROFILE%\Startup folder...
8/7/2004 11:03:42 AM HS 84 C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
8/7/2004 3:55:30 AM HS 62 C:\Documents and Settings\HP_Owner\Application Data\desktop.ini ()
10/2/2005 11:23:28 AM 83 C:\Documents and Settings\HP_Owner\Application Data\sversion.ini ()

2nd half to follow.
 
G

· Registered
Joined
·
84 Posts
Discussion Starter · #15 ·
2nd half of winpfind.txt:

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - C:\windows\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - C:\windows\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{27B4831E-FA7A-4037-ACD6-8360B135B946} - = C:\WINDOWS\system32\pmnonmj.dll ()
\{4E6088E5-AD14-4881-ABDB-554D6A121465} - = C:\WINDOWS\system32\awvtu.dll ()
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (Sun Microsystems, Inc.)
\{7DA39570-5FD2-4f18-94B4-20730CB3F727} - = C:\WINDOWS\system32\qkgvjwuc.dll ()
\{9ECB9560-04F9-4bbc-943D-298DDF1699E1} - CNisExtBho Class = c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
\{BDF3E430-B101-42AD-A544-FADC6B084872} - CNavExtBho Class = c:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP view = c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
\\ - = ()
\\ - = ()(HKCU CLSID)
\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = c:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8192 = Sun Java Console
\\NEXTID - 8196
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8193 =
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 = Windows Messenger
\\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - 8195 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = ()
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{DEE12703-6333-4D4E-8F34-738C4DCC2E04} - RecordNow! SendToExt = c:\Program Files\Sonic RecordNow!\shlext.dll ()
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.)
\\{7F67036B-66F1-411A-AD85-759FB9C5B0DB} - SampleView = C:\WINDOWS\system32\ShellvRTF.dll (XSS)
\\{63542C48-9552-494A-84F7-73AA6A7C99C1} - OpenOffice Property Sheet Handler = C:\Program Files\OpenOffice.org1.1.4\program\shlxthdl.dll (Sun Microsystems, Inc.)
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = ()

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINDOWS\system32\igfxpph.dll (Intel Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = ()

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
hpsysdrv - c:\windows\system\hpsysdrv.exe (Hewlett-Packard Company)
HPHUPD06 - c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe (Hewlett-Packard)
HPHmon06 - C:\WINDOWS\system32\hphmon06.exe (Hewlett-Packard)
KBD - C:\HP\KBD\KBD.EXE (Hewlett-Packard Company)
iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
Recguard - C:\WINDOWS\SMINST\RECGUARD.EXE ()
VTTimer - C:\WINDOWS\SYSTEM32\VTTimer.exe (S3 Graphics, Inc.)
NAV CfgWiz - c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe (Symantec Corporation)
IS CfgWiz - c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe (Symantec Corporation)
AGRSMMSG - C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
PS2 - C:\WINDOWS\system32\ps2.exe (Hewlett-Packard Company)
Reminder - C:\Windows\Creator\Remind_XP.exe (SoftThinks)
Zone Labs Client - C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe (Zone Labs Inc.)
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe (Sun Microsystems, Inc.)
Symantec NetDriver Monitor - C:\PROGRA~1\SYMNET~1\SNDMon.exe (Symantec Corporation)
DllRunning - rundll32.exe "C:\WINDOWS\system32\wgwhfiul.dll ()
MSConfig - C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DllRunning
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item naxjtxth
hkey HKLM
command rundll32.exe "C:\WINDOWS\system32\naxjtxth.dll",setvm
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ikqr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ikqrm
hkey HKCU
command C:\PROGRA~1\COMMON~1\ikqr\ikqrm.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item kernels1118
hkey HKLM
command C:\WINDOWS\system32\kernels1118.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\{98E75D56-0833-1033-0204-050804030001}
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Update
hkey HKLM
command "C:\Program Files\Common Files\{98E75D56-0833-1033-0204-050804030001}\Update.exe" te-110-12-0000245
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\{98E75D56-0834-1033-0204-050804030001}
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Update
hkey HKLM
command "C:\Program Files\Common Files\{98E75D56-0834-1033-0204-050804030001}\Update.exe" te-110-12-0000245
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 2

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{27B4831E-FA7A-4037-ACD6-8360B135B946} - = C:\WINDOWS\system32\pmnonmj.dll ()
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\awvtu - C:\WINDOWS\system32\awvtu.dll = ()
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\igfxcui - igfxsrvc.dll = (Intel Corporation)
\pmnonmj - pmnonmj.dll = ()
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\winuqw32 - winuqw32.dll = ()
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{267370CC-5D3B-442F-8037-129025D72947} - (Linksys Wireless-G PCI Adapter)
{B0E39B91-8E39-49E1-ACC4-5E721A32F90F} - (1394 Net Adapter)
{F14F9021-9151-4BF4-B6FE-CC337F48D456} - (VIA Rhine II Fast Ethernet Adapter)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Thanks,
Mike
 
Cheeseball81

· Retired Moderator
Joined
·
84,466 Posts
#16 ·
1. Please double click on Avenger.exe.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\csrss.exe
C:\WINDOWS\temp.exe
C:\WINDOWS\SYSTEM32\amehjjpg.dll
C:\WINDOWS\SYSTEM32\iddopxfy.dll
C:\WINDOWS\SYSTEM32\mexxafxy.exe
C:\WINDOWS\SYSTEM32\naxjtxth.dll
C:\WINDOWS\SYSTEM32\qkgvjwuc.dll
C:\WINDOWS\SYSTEM32\wgwhfiul.dll
C:\WINDOWS\SYSTEM32\winuqw32.dll
C:\WINDOWS\SYSTEM32\wvuvuuu.dll
C:\WINDOWS\system32\htxtjxan.ini
C:\WINDOWS\system32\luifhwgw.ini
C:\WINDOWS\system32\pmnonmj.dll
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\utvwa.bak1
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\naxjtxth.dll
C:\WINDOWS\system32\kernels1118.exe

Folders to delete:
C:\PROGRAM FILES\COMMON FILES\ikqr
C:\Program Files\Common Files\{98E75D56-0833-1033-0204-050804030001}
Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
 
G

· Registered
Joined
·
84 Posts
Discussion Starter · #17 ·
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ejxgpdpc

*******************

Script file located at: \??\C:\WINDOWS\fvwqhfqv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\csrss.exe deleted successfully.
File C:\WINDOWS\temp.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\amehjjpg.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\iddopxfy.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\mexxafxy.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\naxjtxth.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\qkgvjwuc.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\wgwhfiul.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\winuqw32.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\wvuvuuu.dll deleted successfully.
File C:\WINDOWS\system32\htxtjxan.ini deleted successfully.
File C:\WINDOWS\system32\luifhwgw.ini deleted successfully.
File C:\WINDOWS\system32\pmnonmj.dll deleted successfully.
File C:\WINDOWS\system32\regedit.com deleted successfully.
File C:\WINDOWS\system32\tasklist.com deleted successfully.
File C:\WINDOWS\system32\tracert.com deleted successfully.
File C:\WINDOWS\system32\utvwa.bak1 deleted successfully.
File C:\WINDOWS\system32\utvwa.ini deleted successfully.
File C:\WINDOWS\system32\awvtu.dll deleted successfully.


File C:\WINDOWS\system32\naxjtxth.dll not found!
Deletion of file C:\WINDOWS\system32\naxjtxth.dll failed!

Could not process line:
C:\WINDOWS\system32\naxjtxth.dll
Status: 0xc0000034



File C:\WINDOWS\system32\kernels1118.exe not found!
Deletion of file C:\WINDOWS\system32\kernels1118.exe failed!

Could not process line:
C:\WINDOWS\system32\kernels1118.exe
Status: 0xc0000034

Folder C:\PROGRAM FILES\COMMON FILES\ikqr deleted successfully.
Folder C:\Program Files\Common Files\{98E75D56-0833-1033-0204-050804030001} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Thanks,
Mike
 
G

· Registered
Joined
·
84 Posts
Discussion Starter · #19 ·
Logfile of HijackThis v1.99.1
Scan saved at 5:36:54 PM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27B4831E-FA7A-4037-ACD6-8360B135B946} - C:\WINDOWS\system32\pmnonmj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\qkgvjwuc.dll (file missing)
O2 - BHO: (no name) - {81C1D371-4539-4C2D-9EEA-CEDBC79CBEB0} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\wgwhfiul.dll",setvm
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmnonmj - pmnonmj.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks,
Mike
 
Cheeseball81

· Retired Moderator
Joined
·
84,466 Posts
#20 ·
Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

O2 - BHO: (no name) - {27B4831E-FA7A-4037-ACD6-8360B135B946} - C:\WINDOWS\system32\pmnonmj.dll (file missing)

O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\qkgvjwuc.dll (file missing)

O2 - BHO: (no name) - {81C1D371-4539-4C2D-9EEA-CEDBC79CBEB0} - C:\WINDOWS\system32\awvtu.dll (file missing)

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\wgwhfiul.dll",setvm

O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll (file missing)

O20 - Winlogon Notify: pmnonmj - pmnonmj.dll (file missing)

O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)

Reboot, post a new log.
 
1 - 20 of 151 Posts
Status
Not open for further replies.
About this Discussion
150 Replies
3 Participants
Last post:
Cookiegal
Tech Support Guy
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Hardware Virus & Other Malware Removal Windows XP Off Topic Lounge Thread Games & Discussion
Top